re: Cannot delete file: Cannot read from the source file or disk
Saturday, March 13, 2004 at 4:49 am Windows 2000 Annoyances Discussion Forum
Posted by T. Hill
(1 message posted)
Say, my story is about ditto of almost all the rest, but however this was an invited
situation for the most part as I will explain.
As being an Admin, I guess we all study as much as we can from time to time, that
is when we're not busy with other things. :-)
So the story goes like this: I have a small/medium-sized 2k server, running all the
latest IIS 5.x and tools, your basic 2k box, hosting a test web site behind a DMZ,
also a test FTP site as well as a remote Term box.
It physically sits 3 feet from my workstation in my server closet next to my DC,
"Domain Controller"; they are a pair I built in the spring of 99, and are both 500
MHz boxes with all the goodies of the time, "decent servers so to speak".
Now my DC is running NT 4.x locked down like FT. KNOX x 3, so I have been told.
To make the point, not a single patch, configuration change or anything besides
tossing backup files to and fro in my archive drive on it, along with remote sessions
to change security once in a while or maybe test something from that box remotely,
as it is headless, "no monitor/keyboard, etc.", just a power wire and a single NIC,
with a cable to my internal LAN.
It's withstood anything the world has thrown at it, on its proxy side, from any
virus/intrusion attempts etc. since 01/06/99… It's been up 24-7 365. I have faith
in NT 4.x for stability and security; as it's my DC, it's responsible for my security
also.
I also run 2k3/server Enterprise, 2k/servers mostly; you might say I am a 2k guy,
I like it and it's very stable also… The 2k3 platform is mostly my DEV PLATFORM for
.net and .aspx, SQL, etc.…
Now in this test, we left an open 2k box sitting behind a test DMZ, just for sniffers
to come along and play, and surely enough sooner or later they began dropping in,
and making attempts to test the waters…
As you would expect there were attempts to gain as much control as they could, but
really it was most interesting documenting this also; once they had used the commands
I have read about in this thread in many of the other dumps of logs, I also recognized
these myself as hacking attempts in my own logs previously.
One idea was to allow them to deposit their files and then remove their rights to
cover their trail, which they had been doing regularly, so in one test I had been
on the server while they were doing their dirty work and I had just changed the permissions
on the root subfolder I had the ftp share in. So I watched as they x-fered their
junk to the share, then as the log files always showed they would then have another
machine logon to quickly retrieve the data, then after downloading it they would
delete it…
Now it was a bit disturbing to me to initially notice that they had that much control,
but again I had given them full read write and change permissions…
So after allowing them to deposit I then unplugged the cable; they got the typical
error for trying to connect I am sure, but I quickly stopped the service and then
applied the changes to the shares and then again restarted the service and FTP server.
They had downloaded, then tried to delete the files, and could not, so basically one
over on them. :-)
Now what were they going to do? This had been a regular playground for a couple of
weeks for them, but their evidence was in the log files and also I had scanned one
of their boxes in the process.
Now one would think that a hacker of this level would be smart enough to at least
deny ICMP pings and most any other thing of that sort…
And most do, but this one wise guy, no, he was wide open; he even had his TSClient
32 up and facing the WAN side of his machine. I attempted to logon to see if I could
get any info…
It was an XP/Pro box in Amsterdam; my trusty scanner picked up his MAC address
and every service running on his box, also his NetBIOS name and logon account etc.…
So in this case, I then traced the route info, dumped it to a capture, tracked down
his IP to his ISP, and advised the response tech at that end of the situation and
forwarded the info to the ISP.
Now really the object would be to, say, exchange the files they are illegally using
my host to transfer with something that will actually render their machine useless
when they get them on their hard drive and attempt to reassemble these ripped DVD
parcels…
I have been reading, and there are things that can be done, but since hackers also
may read this post, well, I will not disclose any real details, as there is much
of the aforementioned fun to be had. I like the one guy's explanation of the
"remove HACKER / Permanently / With Major Ass Kicking", :-)
But not physically, as these are only children; no, actually to render their boxes
to have to be flattened and rebuilt, as some of the poor victims of their pranks have
to do.
So basically, this box is expendable, and reloaded in about 45-70 minutes depending
on configuration.
I am at no loss, but however I am determined to find a resolution for the
aforementioned issue, at which I also had taken some of the approaches earlier on, the
`dir /x` and the `rd \\.\inetpub\ftproot\[suspect folder]`, as a means to get rid
of them also.
And this was after my traditional knowledge had failed to solve my issue of these
unwanted and basically untouchable folders…
I consider myself fairly familiar with an NT4/2000 infrastructure, and will make
no statement of being a pro by any means… but finding that our hacker friends
had obtained so much control began to bother me also.
So I had already worked with any and all permissions of NTFS; now nowhere have
I heard anyone speak of using "CACLS" from the safe mode command prompt???
This is a utility from the command prompt that allows you to change permissions and
work with permissions on files from the DOS level.
I will try this in combination with a few other ideas I have and get back to you
all to let you know what my results are, as in the last post I read here, Mr.
Richard Novell had advised to just use the Explorer interface and just use the Security
tab in Advanced properties…???
Yes this is standard practice, and I am sure that anyone here had already tried that,
and that’s why they eventually ended up searching this thread out in their browsers
to hopefully explain how to possibly get rid of this issue.
Now for some of you, I see this worked, and I am happy for you also, as you probably
had production servers and hated to think of having to flatten your boxes to get rid
of them also.
But in this case, it did not work…
I agree with one aspect of the idea that NTFS might not be sure how to deal with
these folders in explorer, but really when using the command prompt and 8.3 format
it should not be an issue.
There is the possibility that these file names might be implementing special characters,
thus we now might have another issue altogether.
For now we are working on it, and I also think that since this is some time later
than the last known post of a real issue that these hackers might be using another
scheme in addition.
So if anyone has any more ideas, please let us know, as I will also post any info
I find out here as we go…
Our goal is to successfully remove these folders, in order to be sure that this is
a full solution in the future, as well as address this known issue, as none of
the posted information has worked thus far.
I could have flattened the box and reloaded it faster than researching this article
and post, but mainly as an Admin, my goal is not to turn from these issues and walk
away, we truly need to get to the bottom of this… Because out there right now is
some Administrator that will be pulling their hair out on a production server for
no good reason if we can’t find a Resolution.
Good luck and I shall check back, T. Hill
And to any hackers reading this:
Note this: "With ISA 2004 and SMS" your days are going to be long and hard, and
with the current DEV team at "M" working very hard on addressing the latest infrastructure
security, your days are numbered, rest assured of that…
On Saturday, February 7, 2004 at 8:44 am, Richard Novell wrote:
>You are all making the fix too hard!! All you need to do is: First make sure that
>you have "full" administrators authority on the "FTP" folder. Right click on the
>folder, then under the security tab make sure that "administrator" has full authority,
>i.e. all boxes have check marks in them. Once this is done, you have to make sure that
>each subfolder has full "administrator" rights. If the "offending folder"
>does have complete and full "administrator" rights, you will be able to delete the
>folder. Richard Novell
>
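The following is an added example, not code posted by T. Hill, Richard Novell or anyone else in this thread. It shows how the three approaches mentioned above (`dir /x` for 8.3 short names, `cacls` for repairing permissions, and `rd` with a namespace prefix) fit together when clearing an attacker-dropped folder out of an FTP root. The drive, the FTP root path and the `SUSPEC~1` short name are placeholders; the `cacls` switches and the `\\?\` prefix are standard cmd.exe features on Windows 2000/XP. It assumes Administrators still have at least read access to the tree (if that was stripped too, take ownership first through the Owner tab in Explorer, then run the script).

```batch
@echo off
rem Added example, not from the thread. FTPROOT and the short name are placeholders.
set FTPROOT=C:\inetpub\ftproot

rem 1. List short (8.3) names. A folder whose long name carries trailing dots,
rem    spaces or other special characters can still be addressed by its short name.
echo === Folders under %FTPROOT% (with 8.3 names) ===
dir /x /a:d "%FTPROOT%"

rem 2. Restore full control for Administrators on the suspect tree.
rem    /E edits the existing ACL instead of replacing it, /T recurses, /G grants.
rem    This undoes the "remove our own rights to cover the trail" trick described above.
cacls "%FTPROOT%\SUSPEC~1" /E /T /G Administrators:F

rem 3. Remove the folder through the \\?\ prefix, which makes Win32 skip its normal
rem    path parsing (trailing dot/space stripping, reserved device names such as COM1).
rem    That parsing is what makes Explorer and a plain rd fail on these names.
rd /s /q "\\?\%FTPROOT%\SUSPEC~1"

rem 4. Verify: the short name should no longer appear in the listing.
echo === After removal ===
dir /x /a:d "%FTPROOT%"
```

Run it from an elevated (Administrator) command prompt, safe mode or not; the point of step 2 is that `cacls` works through the file system API rather than the Explorer shell, so an ACL the intruder altered can be repaired even when the Security tab refuses to open the folder. Step 3 is the same idea as the `rd \\.\…` form in the post, using the documented `\\?\` prefix. For detection going forward, the FTP log lines the post mentions (an upload session followed minutes later by a different address retrieving and deleting the same files) are the pattern worth alerting on, independent of whatever name the dropped folder gets.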